Ransomware Gang Targets Android Phones

The Reveton Gang is at it again. This time, though, they're targeting users of Android phones -- typically visitors to porn sites.

The gang that pioneered the idea of locking up a target's computer and demanding a ransom to unlock it has turned its attention to the rapidly growing mobile market.

Once Reveton mobile infects a phone, it will display a bogus warning from a fractured local law enforcement authority. In the U.S. it's "Mandiant U.S.A. Cyber Security/FBI Department of Defense/U.S.A. Cyber Crime Center."

Needless to say, the gang doesn't know a lot about the U.S. government or law enforcement, but that's irrelevant to someone whose phone is suddenly bricked until the online extortionists get their payment.

The gang's tactics haven't changed since they introduced their malware years ago.

"Just as its Windows-based variant, it performs a geolocation lookup for the device's IP and displays a customized page using some local law enforcement branding," explained Bogdan Botezatu, a senior e-threat analyst with Bitdefender.

"In order to get their phones back," he told TechNewsWorld, users must "pay a $300 fine via untraceable payment mechanisms such as Paysafecard or uKash."

A phone can acquire the ransomware just by visiting an infected porn site, Botezatu explained. However, some user interaction is needed to install the bad app once it reaches a phone.

Pure Ransomware

Although the malware's warning screen claims the app encrypts all data on the phone, making the data inaccessible, that claim may be dubious.

"It's been hard for anyone to find any evidence of that," David Britton, vice president of industry solutions for 41st Parameter, told TechNewsWorld.

"This is more scareware than anything else. What we find is that when these things are marketed to the world, the claims about what they can do are sometimes more robust than what they actually do," he said.

"The marketing efforts of the bad guys can be impressive," added Britton, "but the capability of the actual technology can be less than that."

Rather than encrypt all the data on the phone as CryptoLocker does on a PC, mobile Reveton is pure ransomware. "It puts a wrapper over all the interfaces and UIs," JD Sherry, vice president of technology and solutions for Trend Micro, told TechNewsWorld. "So a user can't do anything because malware has system-level access."

The malware doesn't make the effort to obtain the permissions it would need to encrypt data on an Android phone, Botezatu explained.

"The cybercriminals wanted to keep it simple," he said. "This might be the first iteration -- a test case, if you will -- of a very successful breed of mobile ransomware."

The arrival of ransomware on the mobile scene is just the beginning of a gathering storm.

"This is going to be massive," Sherry said. "This will be the year that we see a tremendous amount of malware hitting mobile phones, and I don't think consumers and organizations are prepared to handle these attacks once they migrate to mobile devices."

Dropbox Boo-Boo

Dropbox grappled last week with a vulnerability in its user file-sharing system. It seems that some things people do with the links -- typing them into a search engine, for example -- can expose them to unintended parties, who can then use them.

The problem, discovered by Intralinks, isn't limited to Dropbox, said Sri Chilukuri, vice president of enterprise product marketing at Intralinks.

Most file-sharing services allow you to share files with others by sending them a link. Whoever clicks on that link -- whether it's who you thought you sent the link to or not -- can see the file at the end of the link.

To address that issue, some sharing services allow a user to require authentication by the person who's supposed to click the link -- requiring the recipient to log into the file-sharing service, for instance, before the link will work.
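The difference between the two kinds of link described above is easiest to see in code. The following is an added example, not code from Dropbox, Intralinks or the article: a toy share-link service with an invented host name (share.example) and a constructed in-memory file store. An unauthenticated link is a bearer credential, so whoever obtains the URL (by whatever route) gets the file; a link that requires authentication is only honoured when the logged-in identity is one the sender named.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample file store (file id -> contents); stands in for a real backend.
FILES = {"roadmap.pdf": b"Q3 roadmap (constructed sample content)"}


@dataclass(frozen=True)
class ShareLink:
    file_id: str
    token_hash: str           # only a hash of the bearer token is stored server-side
    require_auth: bool        # if True, the holder must also be a logged-in allowed user
    allowed_users: frozenset  # identities permitted when require_auth is set


class ShareService:
    """Minimal link-sharing service (hypothetical, for illustration only)."""

    def __init__(self):
        self._links = {}  # token_hash -> ShareLink

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create_link(self, file_id, require_auth=False, allowed_users=()):
        """Mint a share URL for file_id; optionally tie it to named recipients."""
        if file_id not in FILES:
            raise KeyError(f"unknown file: {file_id}")
        if require_auth and not allowed_users:
            raise ValueError("require_auth needs at least one allowed user")
        token = secrets.token_urlsafe(32)  # unguessable, but still a bearer secret
        link = ShareLink(file_id, self._hash(token), require_auth, frozenset(allowed_users))
        self._links[link.token_hash] = link
        return f"https://share.example/s/{token}"  # invented host name

    def resolve(self, url, session_user=None):
        """Return the file bytes, or None if access is denied.

        session_user is the authenticated identity of whoever presents the
        URL; None means the request is anonymous.
        """
        token = url.rsplit("/", 1)[-1]
        link = self._links.get(self._hash(token))
        if link is None:
            return None  # unknown or revoked token
        if link.require_auth:
            # Possession of the URL is not enough: the caller must be logged in
            # *and* be one of the people the sender chose.
            if session_user is None or session_user not in link.allowed_users:
                return None
        return FILES[link.file_id]


def demo():
    """Compare who can open an unauthenticated link versus an authenticated one."""
    svc = ShareService()
    anon_link = svc.create_link("roadmap.pdf")
    gated_link = svc.create_link("roadmap.pdf", require_auth=True,
                                 allowed_users={"bob@example.com"})
    # "leaked" below means the identical URL has reached someone other than Bob,
    # e.g. via a search-engine query box or a Referer header, as the article describes.
    return {
        "anon_intended_recipient": svc.resolve(anon_link, "bob@example.com") is not None,
        "anon_leaked_anonymous": svc.resolve(anon_link) is not None,                 # True
        "gated_intended_recipient": svc.resolve(gated_link, "bob@example.com") is not None,
        "gated_leaked_anonymous": svc.resolve(gated_link) is not None,               # False
        "gated_leaked_other_user": svc.resolve(gated_link, "mallory@example.com") is not None,
        "unknown_token": svc.resolve("https://share.example/s/not-a-real-token") is not None,
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:28s} -> {'granted' if granted else 'denied'}")
```

The example deliberately does not model how a URL leaks; it only shows why a leak matters. With `require_auth=False` the token is the whole credential, so anyone who learns it is indistinguishable from the intended recipient. With `require_auth=True` the token merely locates the share, and the service still checks the session identity against the sender's list, which is the control the article says Dropbox's consumer product lacks and its enterprise product leaves off by default.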

"With Dropbox's consumer product, there's no choice at all for authentication," Chilukuri told TechNewsWorld. That can create some security risks for consumers.

In addition to its consumer product, Dropbox has an enterprise product. However, authentication is turned off by default.

"Since those users don't know about this issue, they send unauthenticated links as well. In fact, many of the files we found when we uncovered these links were business files related to company IP," Chilukuri pointed out.

"The key message here," he said, "is that people have to be very cautious about using this type of product for sharing sensitive information."

Breach Diary

May 5. Ninth Annual Ponemon Cost of Data Breach Study finds average cost of a data breach increased 15 percent over the last year to US$3.5 million.

May 6. Kaspersky Lab reports spam volumes declined by 6.42 points from the fourth quarter of 2013 to the first quarter of this year. However, first quarter volumes compared to the same period in 2013 were about the same, with 66 percent of all email traffic being spam.

May 6. Molina Healthcare in New Mexico notifies some 5,000 former members their addresses and possibly Social Security numbers were compromised on post cards mailed by the organization. A year of identity protection services is being offered to anyone affected by the breach.

May 7. Lookout Mobile Security releases report on smartphone theft finding most common site for snatching mobiles to be restaurants (16 percent), followed by bar or nightclub (11 percent), work (11 percent), and public transportation (6 percent).

May 7. French telecom Orange discloses personal data of some 1.3 million customers stolen by hackers. In February, personal information for 800,000 customers was stolen from the company.

May 7. Georgetown, Texas, police retract statement that a man they arrested for credit card fraud was connected to Target data breach in 2013.

May 7. Security researcher Yngve Nysæter Pettersen reveals that some 2,500 servers free of the Heartbleed bug were infected with it when their administrators installed a buggy upgrade on the machines. He estimates cost of cleaning up error to be $12 million.

May 7. House Judiciary Committee approves and sends to House the USA Freedom Act, which scales back U.S. government domestic surveillance programs.

May 7. Microsoft reports the average number of Windows computers infected with malware jumped at the end of 2013, to 17 per 1,000 in the fourth quarter from 5.8 per 1,000 in quarter three.

May 8. Check Point releases annual security report finding 63 percent of organizations are infected by bots and more than half of organizations (54 percent) have had at least one data loss incident in 2013.

May 8. New York-Presbyterian Hospital and Columbia University Medical Center agree to pay U.S. HHS Office for Civil Rights a $4.8 million joint settlement over a 2010 data breach that compromised 6,800 patient records.

May 8. Survey by Atomic research and Tripwire finds more than a third (35 percent) of retail and financial institutions need more than two days to discover a data breach of their systems.

May 8. URL shortening service Bitly resets all users' passwords after discovering compromise of users' credentials.

May 9. South Carolina legislature votes to keep secret report on data breach at state tax department last fall that compromised personal information of some 6.3 million taxpayers, businesses and children.

May 9. Errata Security estimates that 318,239 servers still remain vulnerable to the Heartbleed bug, nearly a 50 percent drop from the number vulnerable when the flaw was first discovered about a month ago.

May 9. Twitter activates feature that allows users to reset their password using SMS messaging.

May 20. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 3. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.

June 24. Meeting on Commercial Use of Facial Recognition Technology. 1-5 p.m. ET. Held by National Telecommunications and Information Administration at American Institute of Architects, 1735 New York Ave. NW, Washington, D.C.